6 tips to help avoid smishing scams

Smishing is a form of fraud that primarily takes place through texts on mobile devices. Learn how to detect and avoid this common type of scam.

 


Key takeaways

  • Smishing is phishing delivered by text — known as short message service (SMS) — to mobile phones and messaging applications.
  • A phish is any type of electronic communication that aims to steal personal or proprietary information for fraudulent purposes.
  • Be wary of responding to text messages from an unknown sender, especially if the message includes a link, asks for money or sounds urgent.

Smishing is a fast-growing version of one of the internet’s oldest and most successful scams. Like any other type of phishing, smishing aims to trick you into handing over sensitive data and information. Instead of using email, cybercriminals send their messages via text or short message service (SMS). Smishing attempts are typically sent to mobile phone users as standard texts, but they can also be sent via popular messaging apps.

 

Smishing is a form of social engineering where scammers exploit emotions like fear, sympathy, curiosity or greed to incentivize individuals to divulge personal or business information. They do this by sending fraudulent texts to your phone, purporting to be from a trustworthy source like a delivery service, utility company, bank or government agency. The information they seek could include usernames, passwords, credit card numbers, bank account numbers, vendor names or other proprietary data. Cybercriminals then sell that data on the black market or use it to commit identity theft, empty bank accounts or redirect payments to themselves.

In 2024, consumers reported losing $470 million to scams that started with text messages.¹

Email phishing remains one of the most dangerous channels for organizational cyberattacks, but smishing is still appealing to cybercriminals.² Criminals use compromised phone numbers and spoofed or hacked accounts on popular messaging platforms to fake their identities. Smishing messages often contain links that take users to a website that may look legitimate, but the site is designed to steal usernames, passwords and other data. Some messages can even contain links or attachments that secretly install malware on victims’ mobile devices.

 

Common smishing scams

 

Making false promises

Criminals employ a wide variety of smishing tactics to convince people to part with personal data and money. They may make false promises of:

  • Gift cards, prize money, or other winnings
  • Low-interest or no-interest credit cards
  • Coupons and other discounts
  • Student loan debt forgiveness

 

Posing as legitimate companies

Smishing messages may claim to be from legitimate companies with questions about your account or a transaction. They may:

  • Claim to be a customer service representative needing to verify account information
  • Want to discuss a recent suspicious charge or problem with your payment
  • Send a fake invoice and ask you to contact them if you didn’t authorize the purchase
  • Pretend to be a package delivery notification or tracker
  • Claim to be from one of several legitimate toll payment companies

 

Preying on charity

Smishing criminals may even prey upon your charitable impulses by:

  • Requesting donations after a natural disaster or other catastrophic event, such as hurricane or wildfire relief
  • Posing as people you may know, such as a community organizer or politician who would collect monetary contributions   

6 ways to protect against smishing

  • Don’t click hyperlinks in texts from suspicious or unknown numbers. This is doubly true if the link is an abbreviated URL. When used in SMS messages, shortened URLs are often an indicator that cybercriminals are trying to mask overtly fake URLs.
  • Be wary if urged to pay or give out sensitive information. Pause and verify to see if the source is legitimate and trustworthy.
  • Never respond to texts from unknown or suspicious numbers – even to tell them to stop. Doing so will let scammers know your number is active, and you could be added to spam lists and harassed further.
  • Always keep your phone’s operating system up to date to protect against malware hidden in smishing links.
  • Pay attention to social engineering red flags, such as urgent messages or get-rich-quick schemes. If it seems too good to be true, it probably is.
  • Don’t trust texts asking for personal information, even if they claim to come from real organizations. Remember that government agencies and legitimate companies — including Bank of America — will never text you asking for account details. If there’s any doubt, contact that person or organization through another trusted channel.
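
The red flags in the tips above can also be checked automatically, for example in a message filter or an awareness exercise. The sketch below is an added example, not part of the original article; the shortener list, keyword patterns, function names and sample messages are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Assumed, non-exhaustive list of well-known URL shortener hosts.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "ow.ly"}

# Illustrative keyword patterns for the article's red flags (assumptions).
PATTERNS = {
    "urgency": r"\b(urgent|immediately|final notice|within \d+ hours?|suspended)\b",
    "money_or_prize": r"\b(gift card|prize|won|pay now|unpaid|donation|debt forgiveness)\b",
    "asks_for_sensitive_data":
        r"\b(password|pin|social security|account number|card number|verify your account)\b",
}
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.I)


def red_flags(sender, text, known_senders=frozenset()):
    """Return the sorted red flags raised by one text message."""
    flags = set()
    if sender not in known_senders:
        flags.add("unknown_sender")
    for raw in URL_RE.findall(text):
        flags.add("contains_link")
        url = raw if "://" in raw else "http://" + raw
        host = (urlparse(url).hostname or "").lower().rstrip(".")
        if re.sub(r"^www\.", "", host) in SHORTENERS:
            flags.add("shortened_url")
    for name, pattern in PATTERNS.items():
        if re.search(pattern, text, re.I):
            flags.add(name)
    return sorted(flags)


def triage(sender, text, known_senders=frozenset()):
    """Verdict plus flags; data requests and short links count from any sender."""
    flags = set(red_flags(sender, text, known_senders))
    lure = flags & {"contains_link", "urgency", "money_or_prize"}
    if flags & {"asks_for_sensitive_data", "shortened_url"} or (
            "unknown_sender" in flags and lure):
        return "suspicious", sorted(flags)
    return "ok", sorted(flags)


# Constructed sample messages (not real traffic).
SAMPLES = [
    ("+15550100", "URGENT: account suspended. Verify your account at https://bit.ly/x1y2z3"),
    ("Mom", "Dinner at 7? Call me when you land."),
]
if __name__ == "__main__":
    for sender, text in SAMPLES:
        print(triage(sender, text, known_senders={"Mom"}))
```

Keyword matching like this only surfaces messages for a closer look; a message that raises no flag still needs to be verified through a trusted channel before acting on it.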

1 “New FTC data show top text message scams of 2024; overall losses to text scams hit $470 million.” Federal Trade Commission, April 16, 2025.

2 “Email phishing is still the main way in for hackers: report.” CSO, Aug. 15, 2023.
